High Security Pairing-Based Cryptography Revisited

(1)

High Security Pairing-Based Cryptography

Revisited

R. Granger, D. Page, and N.P. Smart Dept. Computer Science, Merchant Venturers Building,

Woodland Road, Bristol, BS8 1UB,

United Kingdom.

{granger,page,nigel}@cs.bris.ac.uk

Abstract. The security and performance of pairing based cryptography has provoked a large volume of research, in part because of the exciting new cryptographic schemes that it underpins. We re-examine how one should implement pairings over ordinary elliptic curves for various prac-tical levels of security. We conclude, contrary to prior work, that the Tate pairing is more efficient than the Weil pairing for all such security levels. This is achieved by using efficient exponentiation techniques in the cyclotomic subgroup backed by efficient squaring routines within the same subgroup.1

1 Introduction

In commercial cryptographic software libraries one typically employs Occam’s Razor in limiting the number of implemented primitives and schemes to a mini-mum. The advantages of this approach are threefold: it reduces the programming, maintainence and security validation workload; it enables one to specialise and hence highly optimise the core operations; and it reduces the library footprint and usage of system resources. Around the time it was first proposed, one of the main criticisms levelled at standard elliptic curve cryptography was that there were too many options; it was hard for non-experts to decide on and construct the types of field and curve needed to satisfy performance and security con-straints. Two decades later, pairing based cryptography is in a similar state in the sense that there are a huge range of parameterisation options, algorithmic choices and subtle trade-offs between the two. Hence, there is a real need to focus on a family of parameters which are flexible but offer efficient arithmetic and allow one to focus on a limited number of cases.

(2)

Generally speaking, a pairing is a non-degenerate bilinear map t:G1×G2−→GT.

Here we assume this pairing takes the concrete form ˆ

t:E(_Fp)×E(Fpk/2)−→_F×_pk

where E is the quadratic twist of an elliptic curve E defined over _F_pk/2. We

restrict our attention to the case of ordinary elliptic curves and assume that #E(Fp) is divisible by a large prime nwhich also divides pk−1 i.e.,n is the

order of the subgroups on which the pairing based protocols will be based. We let the respective subgroups of order nof the three groups involved be denoted G1G2 andGT as is common in various papers on the subject.

Koblitz and Menezes [10] introduced the concept of pairing friendly fields. These are Kummer extensions ofFp defined by the polynomial

f(X) =Xk+f0

for a values of p≡1 (mod 12) and k = 2i₃j_{. Generally one assumes that} _k _is

even, which aids in efficiency due to the well known denominator elimination trick. Following [10] we particularly focus on the cases k = 6, 12 and 24. We letf(θ) = 0 and defineFpk =_Fp[θ]. Many protocols based on pairings perform

arithmetic in the cyclotomic subgroup of F×pk, which is the subgroup of order

Φk(p). We denote this subgroup by GΦk(p); the group GT in the pairing above is contained in GΦk(p). Hence if one is to implement pairing based protocols efficiently with such fields then one needs to be able to implement arithmetic efficiently.

The conclusion of [10] is that for high security levels the Weil pairing is to be preferred over the Tate pairing. The main result of this paper is that by optimising the exponentiation method used in the Tate pairing calculation one can in fact conclude the opposite: that in all cases the Tate pairing is the more efficient algorithm for all practical security levels.

In addition, we also look at efficient arithmetic in the groupGΦk(p)which will speed up both the Tate pairing and various protocols. This is inspired by work of Lenstra and Stam [14, 15] who introduce such efficient arithmetic in a specific family of finite fields of degree six, which are different from the pairing friendly fields. In particular, by restricting tok= 6 Lenstra and Stam present algorithms for arithmetic in the cyclotomic extension ofFp defined by the polynomial

g(X) =X6+X3+ 1

when p ≡ 2 or 5 (mod 9). We shall call such constructions cyclotomic fields of degree 6 in this paper. Lenstra and Stam present efficient squaring routines both for the finite field _Fp6 and for the cyclotomic subgroup G_Φ

6(p) of order

Φ6(p), again GT is contained inGΦ6(p). We letg(ζ) = 0 and define Fp6, in this

(3)

to the pairing friendly fields, can provide more efficient pairing algorithms when k= 6. We present an analogue of these results for pairing friendly fields which provides some efficiency improvement, but not as much as that achieved by Lenstra and Stam for cyclotomic fields of degree six. We leave it as an open research problem to generalise the results of Lenstra and Stam to cyclotomic fields of degree different from six. The only generalisation known is for fields of degree 6·5m _{[8], for which Lenstra and Stam’s technique trivially applies.}

The paper is organised as follows. In Section 2 we recap on the most efficient field arithmetic known for the two cases of finite fields mentioned above. In Section 3 we briefly recap on some standard formulae for the cost of elliptic curve operations. In Section 4 we recap on the model for estimating the cost pairings which was proposed by Koblitz and Menezes. Then in Section 5 we detail the implications of this model for our choice of finite fields.

2 Finite Field Operations

We letm, M , M(resp.s, S, S) denote the time for multiplication (resp. squaring) in the fields _Fp,Fpk/2 and _Fpk. In our analysis we shall assume that addition

operations are cheap, however in a practical implementation for certain bit sizes the operation counts and algorithm choices we give may not be optimal due to this simplifying assumption.

We first note that if one is computing products (resp. squares) of polynomials of degree 2i₃j₋_{1 over}

Fpthen using the Karatsuba and Toom-Cook methods for

multiplication and squaring this requires v(k) multiplications (resp. squarings) in the fieldFp, wherev(k) = 3i5j.

2.1 Pairing Friendly Fields

As before we let k= 2i3j ≥6, letpdenote a prime congruent to 1 modulo 12 and modulo kand define_F_pk via the polynomial f(X) = Xk+f0. We assume

throughout thatf0has been chosen so that multiplication byf0can be performed

quickly by simple additions rather than a full multiplication. Arithmetic in the subfield_F_pk/2is performed using the polynomialXk/2+f0, and mapping between

the two representations is relatively straightforward.

The best algorithms for multiplication and squaring in _Fpk and _F_pk/2 are

the standard ones based on Karatsuba and Toom-Cook. Hence, in this case we obtain

M =M/3 S=S/3 and

M ≈v(k)m S≈v(k)s wherev(k) = 3i₅j_.

Inversion in the fieldFpk is computed by reduction to inversion in the subfield Fpk/2. If we letα=P

k−1

(4)

whereα0, α1∈Fpk/2 and are given by

α0= k/2−1

X

i=0

a2iθ2i andα1= k/2−1

X

i=0

a2i+1θ2i.

We can thus compute

∆=α2₀−θ2α2₁, and

α−1=α0−α1θ ∆ .

Inversion in Fpk is therefore accomplished using two squarings, one inversion, and two multiplications inFpk/2. Similarly, using the same idea one can reduce

inversion in a cubic extension to three squarings, eleven multiplications and one inversion in the base field [9]. Iterating down through the subfields, for pairing-friendly fields inversion can thus be performed with just one inversion inFp, and

a handful of multiplications. We summarize these costs, for the extensions which will interest us,

I2= 2s+ 2m+ι, I3= 3s+ 11m+ι,

I4= 8s+ 8m+ι, I6= 13s+ 35m+ι,

I8= 26s+ 26m+ι, I12= 43s+ 51m+ι,

I24= 133s+ 141m+ι.

whereItdenotes the cost of inversion inFpt andιdenotes the cost of inversion in _Fp.

The Frobenius operation in pairing friendly fields is also efficiently computed as follows. If we defineFpk =_Fp[θ]/(f(θ)) then the Frobenius operation on the

polynomial generatorθcan be easily determined via θp=θk(p−1)/k+1= (−f0)(p−1)/kθ.

For later use we letg= (−f0)(p−1)/k ∈Fp henceθp =g·θ. Also now note that

powers of the Frobenius operation are also easy to compute via θpi =gi·θ.

We also note that since k is even and −f0 is a quadratic non-residue that we

have

gk/2= (−f0)(p−1)/2=−1.

In summary we conclude the operation counts for the various cases are as follows: Fpk/2 _Fpk

(5)

We now turn to the case of arithmetic in the subgroupGΦk(p). For this subgroup we have that inversion comes for free. Letα∈GΦk(p), then since Φk(p) divides pk/2_{+ 1 we have that}

α−1=αpk/2.

This leads to an inversion operation which can be performed using only k/2 negations in_Fpk.

We can also improve the performance of squaring in this subgroup using a trick originally proposed by Lenstra and Stam [14, 15] in the context of finite extension fields defined by cyclotomic polynomials of degree 6. We first define

α=

k−1

X

i=0

aiθi

where we now think of the coefficients ai as variables. We then compute

sym-bolically αpk/3 and αpk/6. One can then derive a set of equations defining the elements of the groupGΦk(p)via

αpk/3·α−αpk/6 =

k−1

X

i=0

viθi.

The variety defined byv0=v1 =· · · =vk−1 = 0 defines the set of elements of

GΦk(p). This follows since

Φt(X) =Xk/3−Xk/6+ 1

for all values of k arising in pairing friendly fields. As an example for the case k= 6 we obtain the set of equations

v0=−a0+a02+f0a5a1−f0a32+f0a2a4,

v1=g·(−a1+ 2f0a5a2−f0a3a4+a0a1),

v2= (1−g)· a2−a12+a0a2−f0a5a3+f0a42,

v3=a3+ 2a0a3−a2a1+f0a5a4,

v4=g· a0a4+f0a52+a3a1−a22+a4

,

v5= (1−g)·(−a5+a0a5−2a4a1+a3a2).

Note that for anyk×kmatrixΓ that

α2=α2+b·(Γ·vt), whereb= (1, θ, θ2_{, . . . , θ}k−1_{) and}_v _{= (}_v

0, v1, . . . , vk−1). Hence, to find different

forms of the squaring operation we simply need to select a matrix Γ which produces equations for squaring which are efficient.

A choice for Γ which seems to work well for k = 6,12 and 24 is to set Γ = diag(d1, d2, d3, d1, d2, d3, . . . , d1, d2, d3) where

(6)

In this case for k = 6 we obtain the following formulae for squaring, if β = P5

i=0biθi=α2,

b0=−3f0a32+ 3a02−2a0,

b1=−6f0a5a2+ 2a1,

b2=−3f0a42+ 3a12−2a2,

b3= 6a0a3+ 2a3,

b4= 3a22−3f0a52−2a4,

b5= 6a4a1+ 2a5.

The formulae fork= 12 andk= 24 can be found in the Appendix.

Ignoring multiplication by f0 and by small constants we then derive the

following table detailing the comparative cost of squaring in both _F_pk and the subgroupGΦk(p).

k _Fpk GΦk(p) 6 15s 6s+ 3m 12 45s 12s+ 18m 24 135s24s+ 84m

Hence, we see that we have a significant improvement in the squaring operation for the subgroupGΦk(p)although this improvement decreases as kincreases.

2.2 Cyclotomic Fields of Degree 6

We recap on the techniques of [14, 15] for the finite fields Fp[ζ], with p ≡ 2

(mod 9). Elements inFp6 are represented in the basis{ζ, ζ2, ζ3, ζ4, ζ5, ζ6}. Using

this representation multiplication in Fp6 can be performed using 15

multiplica-tions in Fp (note that [14] gives the figure as 18 multiplications as the paper

only considers Karatsuba and not Toom-Cook multiplication).

Squaring can be performed more efficiently using the fact that if we write α=α0ζ+α1ζ4, where αi are polynomials inζ of degree at most two, then one

has

α2= (α0−α1)(α0+α1)ζ2+ (2α0−α1)α1ζ5.

Since, theαiare of degree at most two this above formulae requires 10

multipli-cation inFpto perform a squaring operation inFp6.

Arithmetic in the subfieldFp3 is performed as in [9]. We setψ=ζ+ζ−1and

define Fp3 =_Fp[ψ]. As a basis for Fp3 we take {1, ψ, ψ2−2}. Via Toom-Cook

multiplication (resp. squaring) requires 5 multiplications (resp. squares) in Fp.

As noted in Section 2.1 inversion inFp3 can be performed in 11 multiplications

in Fp and one inversion inFp.

Using this subfield inversion an inversion operation can be defined for_Fp6.This

inversion is carried out, in the language of [9], by mapping our_Fp6 element to

(7)

and then mapping back to our representation. The conversion between repre-sentations requires four_Fpmultiplications, whilst the inversion in theF2

repre-sentation requires 4S plus application of the inversion in _Fp3. Hence, requiring

a total of 26 multiplications in_Fpand one inversion inFp.

We now turn to the subgroup GΦ6(p). As before, inversion comes for free

via the operation of the Frobenius map. Multiplication is performed just as for the full finite field, however squaring can be performed significantly faster using the equations contained in [14, 15]. If we let α=P5

i=0aiζi+1 ∈GΦ6(p) and set

β =P5

i=0biζi+1=α2 then we have

b0= 2a1+ 3a4(a4−2a1),

b1= 2a0+ 3(a0+a3)(a0−a3),

b2=−2a5+ 3a5(a5−2a2),

b3= 2(a1−a4) + 3a1(a1−2a4),

b4= 2(a0−a3) + 3a3(2a0−a3),

b5=−2a2+ 3a2(a2−2a5).

Hence, squaring requires six Fp multiplications. The operation counts for the

various cases are as summarised by the following table: Fp3 _Fp6 G_Φ₆_(p)

Mul Sqr Mul Sqr Mul Sqr 5m 5m15m10m15m6m

2.3 Exponentiation in GΦk(p)

Finally, we address the issue of exponentiation, by an exponent e, of elements in the cyclotomic subgroupGΦk(p) ofF

×

pk which has order divisible by n. Using Lucas sequences [13] this can be accomplished in time

CLuc(e) = (M+S) log2e.

However, one could also use exponentiation via standard signed sliding window methods [4] since inversion is cheap in GΦk(p). If e ≤ pthen the best way to perform the exponentiation, using windows of width at leastr, will take time

CSSW(e) =S(1 + log2e) +M

_log

2e

r+ 2 + (2

r−2₋₁

whereSdenotes the time needed to perform a squaring operation inGΦk(p). We also need to store 2r−2_{elements during the exponentiation algorithm.}

(8)

exponentiation. Using the techniques of Avanzi [1], we can estimate the time needed to perform such a multi-exponentiation by

CbigSSW(e) = (d+ log2p)S+

d(2r−1−1) + log2e r+ 2 −1

M

using windows of widthr, where d=dlog₂e/log₂pe. The precomputation stor-age can be reduced using techniques described in [2].

Note that fork= 6 one can also use XTR [11, 16] to gain a slight efficiency advantage over these methods if this is desirable [9], at a cost of altering particu-lar protocols accordingly since multiplication is not straightforward in this case. Fork= 12 and 24, one can also employ XTR defined overFp2 and_F_p4

respec-tively [12], however further work is required to determine if arithmetic can be made as efficient as in the original scheme for cases of interest in pairing-based cryptography.

3 Elliptic Curve Operations

In pairing based protocols we also need to conduct elliptic curve group opera-tions. These are either on the main base curve E(_Fp), or on the twisted curve

E(_F_pk/2). We assume these curves take the form

E(_Fp) :Y2=X3−3X+B

and

E(_F_pk/2) :χY2=X3−3X+B

whereχ is a quadratic non-residue inFpk/2 for which multiplication byχ is for

free. Whether one should use affine or standard Jacobian projective coordinates are used, depends on the ratioι/mand on the size of thek/2. It turns out that in some instances arithmetic inE(Fpk/2) is better performed in affine coordinates.

The various point addition and doubling times are summarized in the following table.

E(Fp) E(Fpk/2)

Projective Affine Addition (A) 12m+ 4s12M+ 4S2M + 1S+Ik/2

Mixed Addition (AM) 8m+ 3s 8M + 3S

-Doubling (D) 4m+ 4s 4M + 4S 2M + 2S+Ik/2

We assume that exponentiation is performed via a signed sliding window method and mixed/affine addition

ECSSW(e) =D(1 + log2e) +AM

_log

2e

r+ 2 + 2

r−2₋₁

.

(9)

In some instances we wish to multiply by a random element in_Zn, however

in other instances (for example in theMapToPointoperation within the Boneh– Franklin encryption scheme [5]) we need to multiply by the cofactor. If we let log₂p=ρ·log₂nthen the quantity 2ρ_{measures how big the elliptic curve cofactor}

is for the curveE(Fp); a similar measure for the twisted curve is (kρ/2−1) log2n.

4 Application to Pairing Based Cryptography

In this section we wish to investigate the application of our techniques to pair-ing based cryptography in particular we focus on the case of non-superspair-ingular curves of embedding degree k ≥6. We follow the methodology of Koblitz and Menezes [10] which we recap on here, however we express our formulae in terms of total number of _Fp operations as opposed to operations per bit. This is

be-cause this enables us to compare our sliding windows method in a more accurate manner and to also compare how other components of the protocols are affected by the choice of field.

Following Koblitz and Menezes we look at the cost of computing a Full-Miller operation or a Miller-Lite operation. The cost of these two operations, assuming projective coordinates are used, is

CFull= (km+ 4S+ 6M+S+M) log2n

CLite= (4s+ (k+ 7)m+S+M) log2n.

In some instances one can more easily compute the Full-Miller algorithm by using affine coordinates in the main loop. In this case the cost is given by

CFull= (2S+ 2M +Ik/2+km+S+M) log2n.

In computing the Tate pairing one executes one Miller-Lite operation and then an exponentiation for an exponent given byΦt(p)/nin the subgroupGΦk(p). The bit length ofΦt(p)/n is estimated by

φ(k) log2p−log2n,

which can be expressed as

(φ(k)ρ−1) log2n.

Thus a Tate pairing computation requires time CTate=CLuc(Φt(p)/n) +CLite

or

CTate=CbigSSW(Φt(p)/n) +CLite.

(10)

with the analysis of Koblitz and Menezes but does slightly underestimate the cost in both cases.

The Weil pairing as pointed out by Koblitz and Menezes, could be more efficient, as it does not require an exponentiation by a large number. It requires time

CWeil=CLite+CFull+S.

We shall show in all cases of cryptographic relevance that the Weil pairing is always slower than the Tate pairing.

5 Results

In what follows we make the simplifying assumption that m ≈ s. We wish to investigate what happens to pairing based protocols as the security level increases. We fix on the following parameter sizes to demonstrate the application of our model

Case Security k log₂nlog₂p

A 80 6 160 160

B 128 6 256 512

C 128 12 256 256

D 192 6 384 1365

E 192 12 384 683

F 256 6 512 2560

G 256 12 512 1280

H 256 24 512 640

We do not discuss how such curves are generated, nor do we make use of special properties of the curves. For example when k= 12 with current technology one can only achieve n≈ pby using the method of Barreto and Naehrig [3]. This results in curves with complex multiplication by D=−3, our analysis takes no account of the special optimizations which can be applied to such curves.

For each case we first present the operation counts, in terms of multiplica-tions inFp, for the operations which do not appear to depend on the exact finite

(11)

E(_Fp) E(Fpk/2)

Case n c n c

A 1614 (4) - 8071 (4) 15739 (5)

B 2535 (5) 2535 (5) 12676 (5) 60767 (8) C 2535 (5) - 34813 (5)(A) 169000 (7)(A) D 3760 (6) 9369 (6) 18802 (5) 172356 (8) E 3760 (5) 2946 (5) 51801 (5)(A) 483113 (8)(A) F 4973 (6) 19236 (7) 24865 (6) 329585 (9) G 4973 (6) 7373 (6) 68671 (6)(A) 926142 (9)(A) H 4973 (6) 1229 (4) 164573 (6)(A) 2.2·106 _(9)(A)

We now turn to the operations which depend on the field representation, i.e. whether we use a pairing friendly or a cyclotomic field extension. There are two operations which are important, the pairing computation itself and exponentia-tion inGΦk(p)by an element ofZn. The pairing computation can itself either be computed by the Weil or Tate pairings. The results, in terms of estimated multi-plications inFp, are presented in the following table. The (r) in the Tate column

denotes the window size in the final exponentiation step, if Lucas sequences are faster we denote this by (L) and the operation count is for the application of Lucas sequences. In all cases using the Weil pairing method which used affine coordinates in the Full-Miller operation loop was the most efficient.

Pairing Friendly Cyclotomic Field

Pairing Exp in Pairing Exp in

Case Weil Tate GΦk(p) Weil Tate GΦk(p) A 19855 9120 (L) 1411 (4) 18250 8247 (3) 1411 (4) B 31759 18738 (5) 2195 (5) 29194 15916 (5) 2195 (5)

C 83757 43703 (4) 3502 (5) - -

-D 47631 34664 (6) 3237 (5) 43786 29643 (6) 3237 (5)

E 125613 81751 (5) 5093 (5) - -

-F 63503 56677 (6) 4263 (6) 58378 46431 (6) 4263 (6)

G 167469 127831 (6) 6633 (6) - -

-H 446087 331078 (5) 13743 (6) - -

-We see that for all fields the Tate pairing is always more efficient than the -Weil pairing, at least for the security sizes that are likely to be used in practice. This is more due to the use of the efficient exponentiation algorithm as compared to the efficient squaring algorithm forGΦk(p). In addition Lucas sequences are only more efficient than the signed sliding window method for very small security parameters.

To compare the different values ofkwe need to estimate the relative differ-ence in time needed to compute a multiplication in_Fp, for the different sizes of

p. If we assume that each finite field multiplication is performed using a stan-dard interleaved Montgomery multiplication then the total number of 32-bit by 32-bit multiplication instructions which are needed to be performed per _Fp

multiplication is given by

(12)

where t= log₂p/32. This leads us to the following table, where we present the number of 32-bit by 32-bit multiplication instructions needed for the various operations.

Curve Operations Pairing Friendly Cyclotomic Field E(_Fp) E(Fpk/2) Exp in Pairing Exp in

Case n c n c Pairing GΦk(p) Pairing GΦk(p)

A 9.7·104 _{- 4}_.₈_·₁₀5₉_.₄_·₁₀4₅_.₄_·₁₀5₈_.₅_·₁₀4₄_.₉_·₁₀5 ₈_.₄_·₁₀5

B 1.3·106₁_.₃_·₁₀6₆_.₈_·₁₀6₃_.₃_·₁₀7₁_.₀_·₁₀7₁_.₁_·₁₀6₈_.₆_·₁₀6 ₁_.₂_·₁₀6

C 3.6·105 _{- 5}_.₀_·₁₀6₂_.₄_·₁₀7₆_.₂_·₁₀6₁_.₁_·₁₀6 _-

-D 1.4·107₃_.₄_·₁₀7₇_.₀_·₁₀7₆_.₄_·₁₀8₁_.₃_·₁₀8₁_.₂_·₁₀7₁_.₁_·₁₀8 ₁_.₂_·₁₀7

E 3.6·106₂_.₈_·₁₀6₄_.₉_·₁₀7₄_.₆_·₁₀8₇_.₈_·₁₀7₄_.₈_·₁₀6 _-

-F 6.4·107₂_.₅_·₁₀8₃_.₂_·₁₀8₄_.₃_·₁₀9₇_.₃_·₁₀8₅_.₅_·₁₀7₆_.₀_·₁₀8 ₅_.₅_·₁₀7

G 1.6·107₂_.₄_·₁₀7₂_.₂_·₁₀8₃_.₀_·₁₀9₄_.₂_·₁₀8₂_.₂_·₁₀7 _-

-H 4.0·106₁_.₀_·₁₀6₁_.₄_·₁₀8₁_.₈_·₁₀9₂_.₈_·₁₀8₁_.₁_·₁₀7 _-

-From the table one can see that the main advantage in using values of kwhich are larger than 6 is in the basic elliptic curve operations overFp, rather than in

the pairing computation. For the pairing computation one gains some advantage for using large values ofk, but this is not as pronounced as for the elliptic curve operations.

However, elliptic curve operations are relatively cheap in comparison to pair-ing calculation and so the performance improvement will not be so pronounced. Except, for protocols in which one party only needs to perform elliptic curve operations inFp, such as the encryptor in the Sakai–Kasahara KEM [7]. It does

however imply that for pairing based protocols one should not neglect selecting parameter values which speed up the elliptic curve operations and not just the pairing calculation.

However, our estimates are on the conservative side for arithmetic in cyclo-tomic fields at high security levels. This is for a number of reasons. The overhead in not having to deal with different values ofkandf0means that the library

over-head in using cyclotomic fields of degree six will be less than for pairing friendly fields. Recall, we have not given accurate cycle counts, but simply estimated the number of multiplication instructions needed.

One should also bear in mind that larger values ofkmean that one can shrink the bandwidth required in communication if one is communicating elements in E(Fp), since a larger value ofkcorresponds to a smaller value ofp.

6 Acknowledgements

The authors would like to thank Mike Scott, for a some insightful comments which improved this paper.

References

(13)

2. R. M. Avanzi and P. Mihailescu.Generic efficient arithmetic algorithms for PAFFs (Processor Adequate Finite Fields) and related algebraic structures. In Selected Areas in Cryptology – SAC 2003, Springer-Verlag LNCS 3006, 320–334, 2004.

3. P.S.L.M. Barreto and M. Naehrig. Pairing-friendly elliptic curves of prime order. Preprint, 2005.

4. I.F. Blake, G. Seroussi and N.P. Smart. Elliptic Curves in Cryptography. Cam-bridge University Press, 1999.

5. D. Boneh and M. Franklin.Identity-based encryption from the Weil pairing.SIAM Journal of Computing,32, 586–615, 2003.

6. F. Brezing and A. Weng.Elliptic Curves Suitable for Pairing Based Cryptography. Designs, Codes and Cryptography,37, 133–141, 2005.

7. M. Cheng, L. Chen, J. Malone-Lee and N.P. Smart. An Efficient ID-KEM Based On The Sakai-Kasahara Key Construction. To appear, 2006.

8. M. van Dijk, R. Granger, D. Page, K. Rubin, A. Silverberg, M. Stam and D. Woodruff. Practical cryptography in high dimensional tori. In Advances in Cryp-tology – EUROCRYPT 2005, Springer-Verlag LNCS 3494, 234–250, 2005.

9. R. Granger, D. Page and M. Stam. A Comparison of CEILIDH and XTR. In Algorithmic Number Theory Symposium – ANTS VI, Springer-Verlag LNCS 3076, 235–249, 2004.

10. N. Koblitz and A. Menezes. Pairing-based Cryptography at High Security Levels. In Cryptography and Coding, Springer-Verlag LNCS 3796, 13–36, 2005.

11. A. K. Lenstra and E. Verheul. The XTR Public Key System. In Advances in Cryptology – CRYPTO 2000, Springer LNCS 1880, 1–19, 2000.

12. S. Lim, S. Kim, I. Yie, J. Kim and H. Lee.XTR extended to GF(p6m). In Selected Areas in Cryptography – SAC 2001, Springer LNCS 2259, 301–312, 2001.

13. M. Scott and P.S.L.M. Barreto. Compressed Pairings.In Advances in Cryptology – CRYPTO 2004, Springer-Verlag LNCS 3152, 140–156, 2004.

14. M. Stam. Speeding up Subgroup Cryptosystems. PhD Thesis, T.U. Eindhoven, 2003.

15. M. Stam and A. Lenstra. Efficient Subgroup Exponentiation in Quadratic and Sixth Degree Extensions. In Cryptographic Hardware and Embedded Systems – CHES 2002, Springer-Verlag LNCS 2523, 318–332, 2002.

(14)

A

Squaring formulae for

G

Φk(p)

for pairing friendly fields

and

k

= 12 and

k

= 24

A.1 k= 12

b0= 3a02−6f0a3a9−3f0a62−2a0,

b1=−6f0a11a2−6f0a5a8+ 2a1,

b2= 3a12−6f0a4a10−3f0a72−2a2,

b3=−6f0a6a9+ 6a0a3+ 2a3,

b4=−3f0a82−6f0a11a5+ 3a22−2a4,

b5=−6f0a7a10+ 6a4a1+ 2a5,

b6=−3f0a92+ 6a0a6+ 3a32−2a6,

b7= 6a5a2−6f0a11a8+ 2a7,

b8=−3f0a102+ 3a42+ 6a7a1−2a8,

b9= 6a6a3+ 6a0a9+ 2a9,

b10=−3f0a112+ 3a52+ 6a8a2−2a10,

(15)

A.2 k= 24

b0=−2a0+ 3a02−3f0a122−6f0a3a21−6f0a6a18−6f0a9a15,

b1= 2a1−6f0a2a23−6f0a5a20−6f0a8a17−6f0a11a14,

b2=−2a2−6f0a4a22−6f0a10a16−3f0a132−6f0a7a19+ 3a12,

b3= 2a3−6f0a9a18+ 6a0a3−6f0a6a21−6f0a12a15,

b4=−2a4−3f0a142−6f0a5a23−6f0a8a20−6f0a11a17+ 3a22,

b5= 2a5−6f0a13a16−6f0a10a19+ 6a4a1−6f0a7a22,

b6=−2a6+ 6a0a6−3f0a152−6f0a12a18−6f0a9a21+ 3a32,

b7= 2a7−6f0a14a17−6f0a11a20−6f0a8a23+ 6a2a5,

b8=−2a8−6f0a10a22−6f0a13a19+ 3a42+ 6a7a1−3f0a162,

b9= 2a9+ 6a0a9−6f0a12a21−6f0a15a18+ 6a6a3,

b10=−2a10−3f0a172−6f0a11a23−6f0a14a20+ 6a2a8+ 3a52,

b11= 2a11−6f0a13a22−6f0a16a19+ 6a10a1+ 6a7a4,

b12=−2a12+ 6a0a12+ 6a9a3−3f0a182−6f0a15a21+ 3a62,

b13= 2a13−6f0a17a20−6f0a14a23+ 6a5a8+ 6a2a11,

b14=−2a14+ 6a13a1+ 6a10a4−3f0a192−6f0a16a22+ 3a72,

b15= 2a15+ 6a0a15+ 6a12a3+ 6a9a6−6f0a18a21,

b16=−2a16−3f0a202−6f0a17a23+ 6a5a11+ 6a2a14+ 3a82,

b17= 2a17−6f0a19a22+ 6a13a4+ 6a10a7+ 6a16a1,

b18=−2a18+ 6a0a18+ 6a15a3+ 6a12a6−3f0a212+ 3a92,

b19= 2a19−6f0a20a23+ 6a5a14+ 6a8a11+ 6a2a17,

b20=−2a20−3f0a222+ 6a19a1+ 6a16a4+ 6a13a7+ 3a102,

b21= 2a21+ 6a0a21+ 6a18a3+ 6a15a6+ 6a12a9,

b22=−2a22−3f0a232+ 6a5a17+ 6a8a14+ 6a2a20+ 3a112,